SkyDog Con CTF 2016 - Catch Me If You Can

Difficulty: Beginner/Intermediate

Instructions:
The CTF is a virtual machine and works best in Virtual Box. Download the OVA file open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above make sure that USB 2.0 is disabled before booting up the VM. The networking is setup for a Host-Only Adapter by default but you can change this before booting up depending on your networking setup. The Virtual Machine Server is configured for DHCP. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Flags

The eight flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533

Flag #1 Don’t go Home Frank! There’s a Hex on Your House.

Flag #2 Obscurity or Security?

Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.

Flag #4 A Good Agent is Hard to Find.

Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

Welcome to another boot2root / CTF this one is called Teuchter. The VM is set to grab
a DHCP lease on boot. As with my previous VMs, there is a theme, and you will need to
snag the flag in order to complete the challenge. Less hochmagandy and more studying
is needed for this one!

A word of warning: The VM has a small HDD so please set the disk to non persistent so
you can always revert. You may need to set the MAC to 00:0C:29:65:D0:A0 too.

Hints for you:

This VM is designed to be a bit of a joke/troll so a translator might be useful.

Welcome to "IMF", my first Boot2Root virtual machine. IMF is a intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

IMF.ova

IMPORTANT NOTE: do not use host-only mode, as issues have been discovered. Set the Billy Madison VM to "auto-detect" to get a regular DHCP address off your network.

Plot:
Help Billy Madison stop Eric from taking over Madison Hotels!

Sneaky Eric Gordon has installed malware on Billy's computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!

Objective:
The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy's 12th grade final project. You will probably need to root the box to complete this objective.

The DEFCON CTF VM

Over the past 6 years, I've been collecting pieces of the DEFCON CTF's past and attempting to preserve them in a way that will allow future generations to enjoy the game. With the conclusion of DARPA's Cyber Grand Challenge and the start of DEFCON 24's CTF Finals, I'm releasing what I have. It's not 100% finished (I've been way too busy lately), but it is usable!

TL;DR: The most recent copy of the VM is v0.1.0 and can be downloaded here. Credentials are below.

How do I use this stuff?

Booting the virtual machine should be all that's required to get services up and running. To interact with a service, simply open a socket connection to the VM on that service's port. On a *nix system, this can be done in a terminal with netcat: nc xxx.xxx.xxx.xxx yyyyy (X's represent the IP address, Y's represent the port number)

Of course, this just gets you a connection. The game requires you to find and patch/exploit flaws in each service. To do this (for most services), you will need to disassemble and step through the compiled executable by hand.

The industry-standard tool for reverse engineering is IDA Pro. Alternatives include Hopper and the recently-released Binary Ninja. If you don't want to spring for a license (or use the free demo version), the Binary Ninja prototype is open-source. Radare is another open-source alternative. And, of course, no discussion of disassemblers would be complete without mentioning objdump, which should be readily available on *nix systems in your distribution's repositories.

To assist newcomers in understanding how to find, patch, and exploit vulnerable code in these services, I have also published a fully detailed walkthrough of one of the services from DEFCON as a tutorial:

Download

Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way.

The VM is configured with a static IP (192.168.110.151) so you'll need to configure your host only adaptor to this subnet. Sorry! Last one with a static IP ;)

A hint: Imagine this as a production environment during a busy work day.

Shout-out to knightmare for many rounds of testing and assistance with the final configuration as well as rastamouse, twosevenzero and g0blin for testing and providing valuable feedback. As always, thanks to g0tmi1k for hosting and maintaining #vulnhub.

VirtualBox users: if the screen goes black on boot once past the grub screen make sure to go to settings ---> general, and make sure it says Type: Linux Version: Debian 64bit

If you run into any issues, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.

Looking forward to the write-ups, especially any unintended paths to local/root.

Walkthroughs

The links below are community submitted 'solutions' showing hints/nudges or possibly a complete walkthrough* of how they solved the puzzle.

Please note, there could be (many) more methods of completing this, they just haven't, either been discovered, or submitted. If you know something that isn't listed, please submit it or get in touch and we would be glad to add it.

* This is a spoiler. It could possibly show you a way of completely solving it.

Download Links

Here you can download the mentioned files using various methods.

We have listed the original source, from the author's page. However, after time these links 'break', for example: either the files are moved, they have reached their maximum bandwidth limit, or, their hosting/domain has expired.

For these reasons, we have been in touch with each author asking for permission to mirror the files. If the author has agreed, we have created mirrors. These are untouched copies of the listed files. (You can check for yourself via the MD5 & SHA1 checksums which are individually displayed on their entry page. See how here).

We also offer the download via BitTorrent. We prefer that people use BitTorrent, however, we do understand that it is not as straight forward as clicking on a direct link.

To make sure everyone using VulnHub has the best experience possible using the site, we have had to

limit the amount of simultaneous direct download files to two files, with a max speed of 3mb

.
This is because the average file size is currently about 700mb, which causes our bandwidth to be high (couple of terabytes each month!). As this is a privately funded project, we believe we have chosen the best hosting provider for the limited budget.

If would you like to be able to download a mass, and at quicker speed, please use torrents as these will be seeded 24/7. For a guide on how to setup and use torrents, see here.

If you're the owner of a listed file or believe that we are unlawfully distributing files without permission, please get in touch here.